Security experts have uncovered a new local privilege escalation (LPE) vulnerability in the Linux kernel, named Fragnesia, which permits attackers to gain root access. It is the third such vulnerability found in the kernel over the last two weeks. The flaw is tracked as CVE-2026-46300, carries a CVSS score of 7.8, and was identified by William Bowling from the V12 security team.
Details of the Fragnesia Vulnerability
Fragnesia is a flaw in the XFRM ESP-in-TCP subsystem of the Linux kernel that allows unprivileged users to alter read-only file contents within the kernel page cache. As reported by Google-owned Wiz, attackers can leverage this flaw to escalate privileges to root through a deterministic page-cache corruption.
Security advisories have been issued by several Linux distributions, with V12 highlighting that this bug, although distinct from the Dirty Frag issue, shares the same attack surface. The vulnerability enables arbitrary byte writes into the kernel page cache of read-only files without a race condition, presenting a serious security risk.
Mitigation and Security Measures
Users who previously applied the Dirty Frag mitigation need not take further immediate action until official patches are released, according to CloudLinux maintainers. Meanwhile, Red Hat is assessing whether existing mitigations cover this new threat. Wiz has cautioned that AppArmor restrictions might offer limited protection, in that successful exploitation would then require additional bypasses.
Microsoft has urged users to apply available patches swiftly, even though there have been no reports of in-the-wild exploitation. The company recommends disabling certain functionalities, limiting shell access, and enhancing monitoring to detect unusual privilege escalation attempts.
Emerging Threats and Exploit Market
Coinciding with the Fragnesia revelation, a cybercriminal known as “berz0k” has surfaced on forums, marketing a zero-day Linux LPE exploit for $170,000. The exploit reportedly affects multiple major Linux distributions and operates without causing system crashes, leveraging a TOCTOU-based method.
The cybersecurity community remains on high alert as the market for Linux vulnerabilities continues to evolve, urging organizations to fortify their systems against potential threats while awaiting comprehensive patch deployments.
In conclusion, the Fragnesia vulnerability underscores the need for continuous vigilance and timely application of security patches to safeguard against escalating threats in the Linux ecosystem.
